Security firm exploits Chrome zero-day to hack browser, escape sandbox

[Jack]

French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.

"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."

Vupen posted a video demonstration of its exploit on YouTube :


Read more

 

[MrXidus]

Looks like Vupen will be getting a nice amount of cash from Google for figuring this out.

Cheers for sharing Jack.

 

[jamescv7]

Seems they figured out and finally they made a success on vulnerable the sandbox which before that no one can attack it.

 

[HeffeD]

Looks like Vupen will be getting a nice amount of cash from Google for figuring this out.

No, because they don't plan on telling Google how they did it... :huh:

The Vupen researchers said they plan to share technical details of the exploit only with government customers “for defensive and offensive security.” Neither Google nor the public will be privy to the specifics.

Link

 

[Jack]

So finally Chrome was hacked..."good job" Vupen...... the most impressive part is that this exploit runs silently without crashing the browser...
However We should have in mind that this is the very first time when Chrome was hacked...this proves only one thing.... Chrome , right now, it's the most secure browser on the market...
As for the exploit..I've got a feeling that Google will manage to find out how this guys did it....

 

[jamescv7]

On the video from Vupen its just made a quick hacked just a link pasted that was made by Vupen.

 

[Ink]

Bypasses ASLR/DEP/Sandbox.

What about SEHOP?

 

[Jack]

Google engineers claim that Chrome PWN bug is a Flash bug​

Yesterday I reported that security firm VUPEN claimed to have a Google Chrome browser exploit that bypassed the browser’s sandbox and Windows ASLR and DEP security measures. Today Google engineers are claiming that the bug isn’t with Chrome itself but in the Flash player bundled with the browser.

Google security engineer Tavis Ormandy had this to say on Twitter:

“As usual, security journalists don’t bother to fact check. VUPEN misunderstood how sandboxing worked in chrome, and only had a flash bug.”

Side note: To be fair to security journalists, VUPEN doesn’t given them much to go on, and only discloses details of the vulnerability to government organisations and ‘paying’ customers.

Another Google security engineer, Chris Evans, chimed in with this in a reply to another comment on Twitter:

“It’s a legit pwn, but if it requires Flash, it’s not a Chrome pwn. Do Java bugs count as a Chrome pwn too, because we support NPAPI?”

VUPEN, while being open to questions, isn’t answering questions related to the bug. VUPEN CEO Chaouki Bekrar became involved in the conversation with Google engineers on Twitter.

Judging by his responses, I think that it is fair to say that this is indeed a Flash bug and not Chrome bug.

Read more

 

[Jack]

Seems like VUPEN manage to exploit a Flash bug(which come integrated into Chrome)...and not a per say , a Chrome bug........this brings a surprising turn of events.
What do you think..is this Google security engineers defending their product or VUPEN made a mistake when they said ... We pwnd Chrome!

 

[HeffeD]

The way I see it, (and If I'm understanding it correctly) it doesn't really matter if it was a Flash exploit. If they were able to exploit Flash and get it to bypass the Chrome sandbox, (Which is an access rights type of sandbox) it's as good as a Chrome exploit.

Say you install a new home alarm system, and start bragging to everyone you know about how secure all your valuables are now. Then a thief disables a door sensor and enters your home and steals your stuff. Wouldn't you feel a bit silly stating that they didn't really bypass your security system, all they did was bypass a door sensor?

If they're in, that's all that matters. Passing the buck is a bit lame.

 

[Tweak]

I'm inclined to agree with HeffeD and say a breach is a breach, splitting hairs here is irrelevant.

 

[jamescv7]

Well what can we say, as Jack said chrome was pwned, and the only security firm managed that. Google Engineers must take the action to make it tighten so it will not pwned again.

 

[silviu_c]

The way I see it, (and If I'm understanding it correctly) it doesn't really matter if it was a Flash exploit. If they were able to exploit Flash and get it to bypass the Chrome sandbox, (Which is an access rights type of sandbox) it's as good as a Chrome exploit.

Say you install a new home alarm system, and start bragging to everyone you know about how secure all your valuables are now. Then a thief disables a door sensor and enters your home and steals your stuff. Wouldn't you feel a bit silly stating that they didn't really bypass your security system, all they did was bypass a door sensor?

If they're in, that's all that matters. Passing the buck is a bit lame.

If your alarm system only has the door sensor and no additional movement sensor that follows the door sensor than you just got ripped off

Anyway I liked the fact that Google engineers knew what the problem was and I think it's fixed now since we just got a new update with a new version of flash player.

The rest is just a "mine is longer" contest between Vupen and Google.

 

[moonshine]

Easy cash for Vupen, LOL

 

[Jack]

Easy cash for Vupen, LOL

I don't think Vupen said to Google how did they manage to pwned Chrome..... Google engineers most likely spent hours ,if not days investigating the incident.
Also I bet that the Vupen staff spent a lot of time analyzing Chrome to find a hole in it;P
Overall ,like silviu_c said it's good that Google engineers found out what the problem was and most likely fixed it..